On Fri, Mar 28, 2008 at 12:58 PM, Jason Pruim <japruim@xxxxxxxxxx> wrote:
>
> On Mar 28, 2008, at 12:40 PM, Eric Butera wrote:
> > On Fri, Mar 28, 2008 at 12:28 PM, Jason Pruim <japruim@xxxxxxxxxx> wrote:
> >> $chpwold[] = mysqli_query($chpwpostlink, $oldpasswordquery) or
> >> die("Sorry read failed: ". mysqli_error($chpwpostlink));
> >> $chpwresult = $chpwold[0];
> >
> > Why would you pump that into an array instead of just calling it
> > result itself? I'd say you're just making it harder on yourself for
> > no apparent reason.
> >
> > The problem seems to be on your other line.
> >
> > $chpwrow[] = mysqli_fetch_assoc($chpwresult) or die('Sorry it didn\'t
> > work....' .mysqli_error($chpwpostlink));
> > echo $chpwrow['loginPassword'];
> >
> > Just fetch the row into a single variable and not an array. In your
> > example you'd need to access chpwrow[0]['loginPassword'] assuming it
> > was an empty array up to that point.
> >
> > Calling things old query and old password isn't really adding any
> > value to your code. If you're only going to use it once then throw it
> > away, call it result so it is easier to read and understand. But then
> > again feel free to ignore this.
>
> In the scope of my application since I'm checking the currently stored
> password before updating to a new password $oldpasswordquery makes
> sense, at least to me :)
>
> > Also is there a reason why you aren't
> > using prepared statements?
>
> A prepared statement seemed like a lot of overkill for a simple check
> to see if the old pass matches what was stored in the database... And
> I didn't realize that you could use prepared statements for SELECTing
> rather than UPDATEing... But I'll look into that more, since I know
> that prepared statements make it much harder to do SQL injection
> attacks....
>
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
>
> --
>
> Jason Pruim
> Raoset Inc.
> Technology Manager
> MQC Specialist
> 3251 132nd ave
> Holland, MI, 49424-9337
> www.raoset.com
> japruim@xxxxxxxxxx

It isn't just about SQL injection, it's also about not letting your
application break because of user input. Getting errors because
someone puts an apostrophe in the form is bad. If I were using your
site and I saw my search term break a page I'd leave because there are
thousands of other sites that can get it right.

http://us2.php.net/manual/en/function.mysqli-prepare.php
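Added example, not part of the thread and not either poster's code: the old-password check discussed above written as a prepared SELECT with procedural mysqli, fetching the row into a single variable. Only `loginPassword` and `$chpwpostlink` come from the thread; the table `users`, the column `loginName`, the form field `oldPassword`, the connection details, and the use of `password_hash()` for the stored value are assumptions.

```php
<?php
// Added example. Assumed names: table `users`, column `loginName`,
// form field `oldPassword`, and the placeholder connection details below.
// Assumption: loginPassword holds a password_hash() value, not plaintext.

// Make mysqli throw exceptions instead of failing silently or needing "or die()".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function old_password_matches(mysqli $link, string $loginName, string $oldPassword): bool
{
    // The ? placeholder keeps user input out of the SQL text, so an
    // apostrophe in $loginName cannot break or alter the query.
    $stmt = mysqli_prepare(
        $link,
        'SELECT loginPassword FROM users WHERE loginName = ? LIMIT 1'
    );
    mysqli_stmt_bind_param($stmt, 's', $loginName);
    mysqli_stmt_execute($stmt);

    // Bind the single selected column to a single variable (no array needed).
    mysqli_stmt_bind_result($stmt, $storedHash);
    $found = mysqli_stmt_fetch($stmt); // true = row fetched, null = no row
    mysqli_stmt_close($stmt);

    if ($found !== true) {
        return false; // unknown login name
    }
    return password_verify($oldPassword, $storedHash);
}

// Usage with placeholder credentials; the login name contains an apostrophe
// on purpose to show that the prepared statement handles it.
$chpwpostlink = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
$ok = old_password_matches($chpwpostlink, "O'Brien", $_POST['oldPassword'] ?? '');
echo $ok ? "Old password accepted\n" : "Old password rejected\n";
```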